{
    "type": "bundle",
    "id": "bundle--58e3e7e5-90d8-43f1-a070-4520950d210f",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:54:06.000Z",
            "modified": "2017-04-04T18:54:06.000Z",
            "name": "CIRCL",
            "identity_class": "organization"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--58e3e7e5-90d8-43f1-a070-4520950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:54:06.000Z",
            "modified": "2017-04-04T18:54:06.000Z",
            "name": "OSINT - An Investigation of Chrysaor Malware on Android",
            "published": "2017-04-04T18:54:20Z",
            "object_refs": [
                "observed-data--58e3e80a-1250-40c3-8ab6-4e18950d210f",
                "url--58e3e80a-1250-40c3-8ab6-4e18950d210f",
                "x-misp-attribute--58e3e82c-6c88-446e-9a88-4d98950d210f",
                "indicator--58e3e9c9-4b54-4ce9-8237-47fe950d210f",
                "x-misp-attribute--58e3e9da-6394-4d85-ac57-4029950d210f",
                "indicator--58e3ea29-86c0-4bb3-ab7b-40fb950d210f",
                "indicator--58e3ea87-fe34-448b-9b9e-4895950d210f",
                "indicator--58e3ea88-e9dc-47c8-a4cc-4c6f950d210f",
                "indicator--58e3ea89-1f78-412f-9941-4ac9950d210f",
                "indicator--58e3ea8a-2ca8-4972-8749-454e950d210f",
                "indicator--58e3ea8b-f844-4e71-a327-4547950d210f",
                "indicator--58e3eae1-8228-455b-b542-4227950d210f",
                "indicator--58e3eb2a-60ec-4774-ba81-4ccf02de0b81",
                "indicator--58e3eb2b-fec4-4fbb-9136-449b02de0b81",
                "observed-data--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81",
                "url--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81",
                "indicator--58e3eb2d-75e0-4eb4-a396-483c02de0b81",
                "indicator--58e3eb2e-9fc8-41a4-b604-4d7802de0b81",
                "observed-data--58e3eb2f-b968-413f-82c3-41f102de0b81",
                "url--58e3eb2f-b968-413f-82c3-41f102de0b81",
                "indicator--58e3eb30-c914-457f-8fbd-4d7602de0b81",
                "indicator--58e3eb31-3b7c-4aff-bf5b-494602de0b81",
                "observed-data--58e3eb32-eef4-4ed4-b8a4-42b802de0b81",
                "url--58e3eb32-eef4-4ed4-b8a4-42b802de0b81"
            ],
            "labels": [
                "Threat-Report",
                "misp:tool=\"MISP-STIX-Converter\"",
                "osint:source-type=\"blog-post\"",
                "misp-galaxy:tool=\"Chrysaor\""
            ],
            "object_marking_refs": [
                "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58e3e80a-1250-40c3-8ab6-4e18950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "first_observed": "2017-04-04T18:51:11Z",
            "last_observed": "2017-04-04T18:51:11Z",
            "number_observed": 1,
            "object_refs": [
                "url--58e3e80a-1250-40c3-8ab6-4e18950d210f"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58e3e80a-1250-40c3-8ab6-4e18950d210f",
            "value": "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--58e3e82c-6c88-446e-9a88-4d98950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "labels": [
                "misp:type=\"text\"",
                "misp:category=\"External analysis\"",
                "osint:source-type=\"blog-post\""
            ],
            "x_misp_category": "External analysis",
            "x_misp_type": "text",
            "x_misp_value": "In this blog post, we describe Chrysaor, a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices, and how investigations like this help Google protect Android users from a variety of threats."
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3e9c9-4b54-4ce9-8237-47fe950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "description": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target",
            "pattern": "[file:hashes.SHA256 = 'ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "x-misp-attribute",
            "spec_version": "2.1",
            "id": "x-misp-attribute--58e3e9da-6394-4d85-ac57-4029950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "labels": [
                "misp:type=\"mobile-application-id\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ],
            "x_misp_category": "Payload delivery",
            "x_misp_type": "mobile-application-id",
            "x_misp_value": "com.network.android"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3ea29-86c0-4bb3-ab7b-40fb950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "description": "Pegasus for Android Samples",
            "pattern": "[file:hashes.SHA256 = '3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3ea87-fe34-448b-9b9e-4895950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "description": "com.network.android",
            "pattern": "[file:hashes.SHA256 = '98ca5f94638768e7b58889bb5df4584bf5b6af56b188da48c10a02648791b30c']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3ea88-e9dc-47c8-a4cc-4c6f950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "description": "com.binary.sms.receiver",
            "pattern": "[file:hashes.SHA256 = '9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3ea89-1f78-412f-9941-4ac9950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "description": "com.android.copy",
            "pattern": "[file:hashes.SHA256 = 'e384694d3d17cd88ec3a66c740c6398e07b8ee401320ca61e26bdf96c20485b4']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3ea8a-2ca8-4972-8749-454e950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "description": "com.android.copy",
            "pattern": "[file:hashes.SHA256 = '12e085ab85db887438655feebd249127d813e31df766f8c7b009f9519916e389']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3ea8b-f844-4e71-a327-4547950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "description": "com.android.copy",
            "pattern": "[file:hashes.SHA256 = '6348104f8ef22eba5ac8ee737b192887629de987badbb1642e347d0dd01420f8']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha256\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3eae1-8228-455b-b542-4227950d210f",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:11.000Z",
            "modified": "2017-04-04T18:51:11.000Z",
            "description": "com.network.android",
            "pattern": "[file:hashes.SHA1 = '44f6d1caa257799e57f0ecaf4e2e216178f4cb3d']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:11Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3eb2a-60ec-4774-ba81-4ccf02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:22.000Z",
            "modified": "2017-04-04T18:51:22.000Z",
            "description": "com.binary.sms.receiver - Xchecked via VT: 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae",
            "pattern": "[file:hashes.SHA1 = '28f570754274db96bffa7ac4a53a5ede3508d82c']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:22Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3eb2b-fec4-4fbb-9136-449b02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:23.000Z",
            "modified": "2017-04-04T18:51:23.000Z",
            "description": "com.binary.sms.receiver - Xchecked via VT: 9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae",
            "pattern": "[file:hashes.MD5 = 'cc9517aafb58279091ac17533293edc1']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:23Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:24.000Z",
            "modified": "2017-04-04T18:51:24.000Z",
            "first_observed": "2017-04-04T18:51:24Z",
            "last_observed": "2017-04-04T18:51:24Z",
            "number_observed": 1,
            "object_refs": [
                "url--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58e3eb2c-c470-4d5b-9b5a-4e2f02de0b81",
            "value": "https://www.virustotal.com/file/9fae5d148b89001555132c896879652fe1ca633d35271db34622248e048c78ae/analysis/1491317706/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3eb2d-75e0-4eb4-a396-483c02de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:25.000Z",
            "modified": "2017-04-04T18:51:25.000Z",
            "description": "Pegasus for Android Samples - Xchecked via VT: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86",
            "pattern": "[file:hashes.SHA1 = 'b6850881561265d89597d0d245b33dba3d7d3f47']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:25Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3eb2e-9fc8-41a4-b604-4d7802de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:26.000Z",
            "modified": "2017-04-04T18:51:26.000Z",
            "description": "Pegasus for Android Samples - Xchecked via VT: 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86",
            "pattern": "[file:hashes.MD5 = '3a69bfbe5bc83c4df938177e05cd7c7c']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:26Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58e3eb2f-b968-413f-82c3-41f102de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:27.000Z",
            "modified": "2017-04-04T18:51:27.000Z",
            "first_observed": "2017-04-04T18:51:27Z",
            "last_observed": "2017-04-04T18:51:27Z",
            "number_observed": 1,
            "object_refs": [
                "url--58e3eb2f-b968-413f-82c3-41f102de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58e3eb2f-b968-413f-82c3-41f102de0b81",
            "value": "https://www.virustotal.com/file/3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86/analysis/1491309077/"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3eb30-c914-457f-8fbd-4d7602de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:28.000Z",
            "modified": "2017-04-04T18:51:28.000Z",
            "description": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target - Xchecked via VT: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5",
            "pattern": "[file:hashes.SHA1 = 'e5920f3723e62e1850157f09baf556006bf80f74']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:28Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"sha1\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--58e3eb31-3b7c-4aff-bf5b-494602de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:29.000Z",
            "modified": "2017-04-04T18:51:29.000Z",
            "description": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target - Xchecked via VT: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5",
            "pattern": "[file:hashes.MD5 = '7c3ad8fec33465fed6563bbfabb5b13d']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-04-04T18:51:29Z",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "misp-category",
                    "phase_name": "Payload delivery"
                }
            ],
            "labels": [
                "misp:type=\"md5\"",
                "misp:category=\"Payload delivery\"",
                "misp:to_ids=\"True\""
            ]
        },
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--58e3eb32-eef4-4ed4-b8a4-42b802de0b81",
            "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
            "created": "2017-04-04T18:51:30.000Z",
            "modified": "2017-04-04T18:51:30.000Z",
            "first_observed": "2017-04-04T18:51:30Z",
            "last_observed": "2017-04-04T18:51:30Z",
            "number_observed": 1,
            "object_refs": [
                "url--58e3eb32-eef4-4ed4-b8a4-42b802de0b81"
            ],
            "labels": [
                "misp:type=\"link\"",
                "misp:category=\"External analysis\""
            ]
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--58e3eb32-eef4-4ed4-b8a4-42b802de0b81",
            "value": "https://www.virustotal.com/file/ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5/analysis/1491313777/"
        },
        {
            "type": "marking-definition",
            "spec_version": "2.1",
            "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
            "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp",
            "name": "TLP:WHITE",
            "definition": {
                "tlp": "white"
            }
        }
    ]
}